AhnLab_template

Size: px

Start display at page:

Download "AhnLab_template"

다혀 운
5 years ago
Views:

1 Injection 기법및분석법 공개버전 안랩시큐리티대응센터 (ASEC) 분석팀차민석책임연구원

Contents 01 02 03 04 05 06 07 왜 Injection 기법인가?

2 Contents 왜 Injection 기법인가? Injection 기법배경지식 DLL Inection 기법 Code Injection 기법유용한도구 Case study 맺음말및과제

3 01 왜 Injection 기법인가?

11 02 Injection 기법배경지식

DLL (Dynamic Link Library) DLL ( 동적링크라이브러리 ) * source : http://ko.

13 DLL (Dynamic Link Library) DLL (Dynamic Link Library) - 응용프로그램의일부를동적으로링크할수있는라이브러리 목적 - 실행모듈만을로드하므로메모리사용량을줄일수있음 - 프로그램의특정부분을변경시키거나향상가능 - 특정모듈만을업그레이드가능 - 메모리에로딩하지않고매핑함으로써메모리절약 장점 - 실행메모리를절약 - 디스크공간절약 - 쉬운업그레이드가능 - 출시후지원가능 - 언어형식이다른여러프로그램지원 ( 함수호출규칙준수 ) - 국가별버전쉽게제작가능 AhnLab, Inc. All rights reserved. 13

DLL (Dynamic Link Library) Visual Studio 를이용하여 DLL

17 DLL (Dynamic Link Library) DLL 은어떻게구현되는가? -- PROCESS -- case DLL_PROCESS_ATTACH: case DLL_PROCESS_DETACH: -- THREAD -- case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: AhnLab, Inc. All rights reserved.

18 DLL (Dynamic Link Library) 암시적링킹 vs 명시적링킹 * 암시적 (Implicit) 링킹 DLL 제작시컴파일러에의해생성된 *.LIB 파일을이용하여사용할함수를링킹 실행바이너리링크단계에서 *.OBJ 파일과 *.LIB 파일을함께링크하여이정보를토대로 Runtime DLL 의함수코드를참조 프로그램실행전에필요한모든 DLL 을메모리에로딩 * 명시적 (Explicit) 링킹실행바이너리단계에서 DLL의함수정보가필요하지않음암시적로딩에비하여구현해야할코드가늘어남사용이필요한시점에필요한 DLL만로딩할수있으며분산로딩가능 AhnLab, Inc. All rights reserved.

19 DLL (Dynamic Link Library) DLL 사용 암시적 (Implicit) 연결을사용하여호출 사용하기는쉬우나사용하고자하는 DLL 의 import 라이브러리를프로젝트로포함시켜야함 (*.Lib) 명시적 (Explicit) 연결을사용하여호출 DLL 로딩과함수의위치, 사용후반환을위한 API호출이뤄짐 LoadLibrary(); GetProcAddress(); Execute_MyDLLFunc(); FreeLibrary(); AhnLab, Inc. All rights reserved.

29 03 DLL Injection 기법

$DLL Injection 종류 (1) AppInit_DLLs 등록 HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\ CurrentVersion\Windows\AppInit_DLLs HKEY_LOCAL_MACHINE\$

33 DLL Injection 종류 (1) AppInit_DLLs 등록 HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\ CurrentVersion\Windows\AppInit_DLLs HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\ CurrentVersion\Windows\LoadAppInit_DLLs User32.dll 의로딩특성을이용한인젝션방법 쉬운만큼단점도많아현재는많이쓰이지않음 AhnLab, Inc. All rights reserved.

$Regkey\...AppInit_DLLs MyDLL1.$ DLL MyDLL2.DLL MyDLL3.DLL... (DLL_PROCESS_ATTACH) AhnLab, Inc.

34 DLL Injection 종류 (1) AppInit_DLLs 등록 [Application] Load User32.dll User32.DLL LoadLibrary(); DLL_PROCESS_ATTACH Regkey\...AppInit_DLLs MyDLL1.DLL MyDLL2.DLL MyDLL3.DLL... (DLL_PROCESS_ATTACH) AhnLab, Inc. All rights reserved.

35 DLL Injection 종류 (2) Windows Hook SetWindowsHookEx() API Idhook : 후킹하고자하는메시지의 ID(ex WH_KEYBOARD) lpfn : MyDLL.DLL 에지정된훅프로시저의주소값 -> GetProcAddress() hmod : MyDLL.DLL 의핸들 ( 이미 LoadLibrary() 시얻음 ) dwthreadid : 후킹할프로세스 (MyDLL.DLL) 을인젝션할 PID -> 0 : 전역훅 AhnLab, Inc. All rights reserved.

DLL Injection 종류 (2) Windows Hook MyDLL.

38 DLL Injection 종류 (3) Remote Thread 이용 가장유연성이뛰어난 DLL 인젝션기법중하나프로세스, 스레드, 동기화, 가상메모리, DLL, 유니코드에대한이해가필요 DLL 을삽입하고자하는대상프로세스의스레드가인젝션할 DLL 에대해 LoadLibrary 를수행 윈도우는 CreateRemoteThread() API 를통해다른프로세스내에새로운스레드를쉽게생성할수있는방법제공 AhnLab, Inc. All rights reserved.

39 DLL Injection 종류 (3) Remote Thread 이용 Chapter1 - Injection 을위한 Target Process 찾기!! DLL Path Chapter2 - Load 할 DLL 의 Path 구성 Target Process Chapter3 - DLL Path 구성을타겟프로세스에삽입 Chapter4 - Target Process 에 Thread 를생성하며, Thread 의시작주소및인자값넘겨주기 Thread 생성 DLL 로드 Chapter5 - DLL 로드 AhnLab, Inc. All rights reserved. 39

DLL Injection 종류 (3) Remote Thread 이용 Thread 의역할은단하나!

DLL Injection 종류 (3) Remote Thread 이용 khandle = GetModuleHandleA("kernel32.

42 DLL Injection 종류 (3) Remote Thread 이용 if(!(process=openprocess(process_all_access,false, pid))) { return FALSE; } Chapter1 - Injection 을위한 Target Process 찾기!! 미션!! 쓰레드의역할은단하나!!!!! DLL 을 LoadLibrary 함수를이용하여로드한다.!! AhnLab, Inc. All rights reserved. 42

43 DLL Injection 종류 (3) Remote Thread 이용 if(!(premotebuf = VirtualAllocEx(process,NULL,strlen(DllPath)+1,MEM_COMMIT,PAGE_READWRITE))) { return FALSE; Chapter1 } - Injection 을위한 Target Process 찾기!! Chapter2 - Load 할 DLL 의 Path 구성 미션!! 쓰레드의역할은단하나!!!!! DLL 을 LoadLibrary 함수를이용하여로드한다.!! AhnLab, Inc. All rights reserved. 43

44 DLL Injection 종류 (3) Remote Thread 이용 if(!(writeprocessmemory(process,premotebuf,dllpath,strlen(dllpath)+1,null))) { return FALSE; } Chapter1 - Injection 을위한 Target Process 찾기!! Chapter2 - Load 할 DLL 의 Path 구성 Chapter3 - DLL Path 구성을타겟프로세스에삽입 미션!! 쓰레드의역할은단하나!!!!! DLL 을 LoadLibrary 함수를이용하여로드한다.!! AhnLab, Inc. All rights reserved.

45 DLL Injection 종류 (3) Remote Thread 이용 thread = CreateRemoteThread(process,0,0,getproc,pRemotebuf,0,0); WaitForSingleObject(thread,INFINITE); Chapter1 - Injection 을위한 Target Process 찾기!! Chapter2 - Load 할 DLL 의 Path 구성 Chapter3 - DLL Path 구성을타겟프로세스에삽입 미션!! 쓰레드의역할은단하나!!!!! DLL 을 LoadLibrary 함수를이용하여로드한다.!! Chapter4 - Target Process 에 Thread 를생성하며, Thread 의시작주소및인자값넘겨주기 AhnLab, Inc. All rights reserved. 45

46 DLL Injection 종류 (3) Remote Thread 이용 thread = CreateRemoteThread(process,0,0,getproc,pRemotebuf,0,0); WaitForSingleObject(thread,INFINITE); 쓰레드동작시시작위치 ( 함수주소 ) 쓰레드동작시매개변수 AhnLab, Inc. All rights reserved. 46

DLL Injection 종류 (3) Remote Thread 이용 완성!

DLL Injection Demo DLL Injection - 대상 Process 선택

DLL Injection Demo DLL Injection - 대상 process 에

DLL Injection Demo DLL Injection - 대상 DLL

51 04 Code Injection 기법

55 Code Injection 방법 (1) OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread SUSPENDED OpenProcess VirtualAllocEx Target Process Malware Malicious Code WriteProcessMemory Private Data CreateRemoteThread AhnLab, Inc. All rights reserved. 55

56 Code Injection 방법 (2) VirtualAllocEx -> InternetReadFile -> JMP VirtualAllocEx Malware JMP Malicious Code Private Data Malicious Code Private Data Malicious Code Private Data AhnLab, Inc. All rights reserved. 56

57 Code Injection 방법 (3) VirtualAllocEx -> WriteProcessMemory -> JMP(Call) or CreateThread Malware Packed (Encrypted) Malicious Code VirtualAllocEx JMP Malicious Code WriteProcessMemory Private Data AhnLab, Inc. All rights reserved. 57

CodeInjection Demo CodeInjection.exe - CodeInjection.

CodeInjection Demo CodeInjection.exe - Notepad.

분석시간 Ollydbg - File -> Open 에서 CodeInjection.

분석시간 Ollydbg - OpenProcess - ProcessID =

분석시간 Ollydbg - VirtualAllocEx - EAX = 009F0000 -

분석시간 Ollydbg - [F7] 혹은 [F8] 로하나씩따라가면서의미파악 -

73 05 유용한도구

Ollydbg OllyDbg 에서 memory 덤프뜨기 - Memory map (Alt+M) 에서원하는 Address 선택 - Dump

79 06 Case study

80 07 맺음말및전망

82 Injection 정리 - DLL Injection vs Code Injection - 원격 injection 은보통 OpenProcess-> VirtualAllocEx-> WriteProcessMemory-> CreateRemoteThread 순 - Key API : VirtualAllocEx, CreateRemotethread - 분석을위해서대상프로세스에미리 BP 걸어두기 AhnLab, Inc. All rights reserved. 82

To do Hooking - http://nagareshwar.securityxploded.

86 D E S I G N Y O U R S E C U R I T Y

DLL Injection

DLL Injection REVERSING CreateRemoteThread() 를중점으로 DLL Injection 에대하여설명 [ Rnfwoa] 김경민 목차 목차 1 개요 1 2 DLL ( Dynamic Link Library ) 2 3 AppInit_DLLs 3 4 원격스레드생성 5 4.1 핸들확보 6 4.2 공간할당 7 4.3 DLL Name 기록 8